July is always an exciting month if you are like us at the Adaware Malware Labs Team and enjoy reading countless security reports. While friends, family, and co-workers are enjoying the great outdoors, having barbecues and watching fireworks, the team is hunkered down reading US Government security reports and analyzing the latest trends among cyber criminals – after all, crime and online criminals never rest.
Among this summer’s reading, we came across a fascinating new report from the United States Treasury Department entitled Financial Trend Analysis. In the report, authored by the Financial Crimes Enforcement Network (FinCEN), they discuss the significant rise of Business Email Compromise (BEC) scams, the financial toll these scams have been taking on businesses of all sizes, and how they are changing the way organizations operate and set security policies.
Although the report is quite detailed and very informative, one factor it does not discuss, but which is highly relevant, is the growing number of businesses whose systems have been compromised because employees use their own personal PCs, at home or on the road, to do office work. In part one of this two-part article, we look at what a BEC scam is and how organizations are coping with this type of threat. In the next article, we will look at the role that home systems inadvertently play in propagating this type of fraud, along with some best practices to help prevent it from occurring.
So what is a Business Email Compromise (BEC)?
According to FinCEN: BEC is a type of scam that targets businesses (and other types of organizations, such as educational institutions, government, and non-profits) and their fund transfers. Scammers generally target organizations that conduct large wire transfers in the course of their usual business and rely on email for much of their communication regarding the wires. Recent reporting also indicates that other financial products, such as convertible virtual currency (Bitcoin), automated clearing house transfers, and gift cards, have been used in BEC schemes.
How does a BEC Scam work?
The typical BEC – or CEO fraud – scheme starts with attackers stealing the email credentials of a top executive through spear phishing, specialized malware, or spoofed emails. Then, through social engineering, they impersonate that executive and send urgent messages to lower-level employees, who are tricked into believing that a legitimate email from a trusted person or entity is directing them to transfer or wire money to bank accounts the attackers control. In other cases, the attackers spoof a company’s business partner.
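To make the mechanics above concrete from the defender's side, here is an added Python example (it is not code from the FinCEN report or from Adaware) that scores an inbound message for the impersonation indicators the scheme relies on: a display name that matches a known executive while the sender address does not, a sender domain that is a near-miss of the organization's own domain, a Reply-To header that redirects replies elsewhere, and urgent payment language in the subject or body. The organization domain example.com, the executive directory, the keyword lists and the three sample messages are all constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the defended organization's domain and a
# constructed directory of executives whose names attackers impersonate.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed keyword lists; a production filter would use tuned models or
# rules, but the two categories mirror the "urgent" and "wire money" traits.
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "right away")
PAYMENT_TERMS = ("wire", "transfer", "invoice", "bank account", "gift card", "payment")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def assess(raw_message):
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = domain_of(from_addr)
    indicators = []

    # 1. Display name of a known executive, but the address is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr != known:
        indicators.append("display_name_impersonation")

    # 2. Sender domain is within two edits of our own domain but not equal.
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        indicators.append("lookalike_domain")

    # 3. Reply-To sends the conversation to a different domain than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr.lower())
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply_to_mismatch")

    # 4. Payment and urgency language in the subject or body.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(term in text for term in PAYMENT_TERMS):
        indicators.append("payment_language")
    if any(term in text for term in URGENCY_TERMS):
        indicators.append("urgency_language")
    return indicators


# Constructed sample messages (not real traffic).
SAMPLE_IMPERSONATION = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "To: accounts@example.com\n"
    "Subject: Urgent wire transfer needed today\n"
    "\n"
    "Please wire the vendor payment before noon and confirm back to me.\n"
)
SAMPLE_LOOKALIKE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: billing@other-host.net\n"
    "To: accounts@example.com\n"
    "Subject: Updated remittance details\n"
    "\n"
    "Our bank account has changed. Please pay the attached invoice to the new account immediately.\n"
)
SAMPLE_LEGITIMATE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: team@example.com\n"
    "Subject: Team lunch Friday\n"
    "\n"
    "Let's meet at noon on Friday in the lobby.\n"
)

if __name__ == "__main__":
    for label, sample in (("impersonation", SAMPLE_IMPERSONATION),
                          ("lookalike", SAMPLE_LOOKALIKE),
                          ("legitimate", SAMPLE_LEGITIMATE)):
        print(label, assess(sample))
```

Each indicator on its own is weak (plenty of real invoices say "bank account", and "wire" also matches "wireless"), which is why the function returns the full list rather than a verdict: a mail gateway or SOC rule would typically quarantine or flag for manual review only when an impersonation or lookalike indicator co-occurs with payment language.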
Costs to the U.S. economy – $300 million per month
Between 2016 and today, there has been a steady increase in the number of BEC attacks. The business email compromise scam has particularly targeted the construction and manufacturing sectors in the United States. The U.S. Treasury Department has indicated that these organizations accounted for over thirty percent of all reported incidents in 2018. Significant increases in BEC attacks have also been reported within the commercial services sector, which includes shopping centers, entertainment facilities, and hotels.
Cybercriminal techniques are getting better
The types of BEC scams have also evolved over time, the Treasury Department report found.
For example, impersonating a CEO or other high-ranking business officer accounted for 33 percent of sampled incidents in 2017, declining to 12 percent in 2018, while impersonation of an outside entity made up 20 percent of 2018 reports, up from an amount that was not measured in 2017. Use of fraudulent vendor or client invoices grew, from 30 percent of sampled 2017 incidents to 39 percent in 2018.
In our next article, we will go into detail on how compromised personal computers are making it easier for cybercriminals to launch BEC scams.